Block all IP traffic save for Windows Updates

Posted: Mon Jan 16, 2012 9:05 pm
by Ryhadar
Over the weekend I finally got my new Windows Home Server up and running. The great thing about it is that it's got a ton of functionality, but that makes setting it up all the harder ;).

The home server has the ability to connect to the internet to have all sorts of "personal cloud"-like behavior, but I'm not ready for that (yet). Ideally, I'd like to block all IP traffic save for Windows Updates, but I'm having trouble figuring out the best way (meaning most efficient and most safe). So should I:

  • Set up Windows Firewall to do this except for Windows Update
  • Stop IP traffic at the router level except for Windows Update
  • Turn off the IP traffic entirely at the server level and just remind myself to check for updates monthly

The last one is definitely the easiest, but isn't the most interesting (and I'm not 100% on how to do the other two, so it would be a learning experience). What do you guys think?
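As an added example (not posted in this thread), here is what the first option, doing it in Windows Firewall, looks like as a PowerShell script driving netsh advfirewall. It assumes WHS 2011 (Server 2008 R2), where the New-NetFirewallRule cmdlets do not exist, that Windows Update runs inside svchost.exe under the wuauserv and BITS services, and a LAN subnet of 192.168.1.0/24; all of those are assumptions, not something the thread states.

```powershell
# Added example: outbound allow-list for Windows Update on WHS 2011 / Server 2008 R2.
# netsh advfirewall is used because the NetSecurity cmdlets are not on 2008 R2 (assumption).
# Run from an elevated PowerShell prompt on the server console, not over a remote session,
# since step 1 also cuts outbound replies that a remote shell may depend on.

$svchost = "$env:SystemRoot\system32\svchost.exe"
$tag     = "WHSAllowList"            # no spaces: keeps netsh argument quoting simple
$lan     = "192.168.1.0/24"          # assumed home subnet

# 0. Keep a copy of the current policy so the change can be undone with
#    'netsh advfirewall import <file>' (or 'netsh advfirewall reset' for factory defaults).
netsh advfirewall export "$env:USERPROFILE\whs-firewall-before.wfw"

# 1. Default policy: inbound stays blocked (already the default), outbound becomes blocked too.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Plumbing that Windows Update depends on: DNS to resolve the update hosts, NTP so the
#    clock is sane for TLS, DHCP so the lease can be renewed (broadcast, so not covered by $lan).
netsh advfirewall firewall add rule name="$tag-DNS"  dir=out action=allow protocol=udp remoteport=53  program="$svchost" service=dnscache
netsh advfirewall firewall add rule name="$tag-NTP"  dir=out action=allow protocol=udp remoteport=123 program="$svchost" service=w32time
netsh advfirewall firewall add rule name="$tag-DHCP" dir=out action=allow protocol=udp remoteport=67  program="$svchost" service=dhcp

# 3. Windows Update itself: wuauserv talks to the update servers over HTTP/HTTPS and BITS
#    performs the actual downloads, so both services need outbound 80/443.
foreach ($svc in "wuauserv", "bits") {
    netsh advfirewall firewall add rule name="$tag-WU-$svc" dir=out action=allow protocol=tcp remoteport=80,443 program="$svchost" service=$svc
}

# 4. LAN clients reach the shares by initiating inbound connections, which the stateful
#    firewall answers on its own, so SMB needs no outbound rule. This rule only lets the
#    server itself start connections to the LAN (Dashboard/Connector traffic back to clients).
netsh advfirewall firewall add rule name="$tag-LAN" dir=out action=allow remoteip=$lan

# 5. Check what was created. Everything else outbound, including the "personal cloud"
#    features, is now dropped until a rule is added for it.
netsh advfirewall firewall show rule name=all | Select-String -Pattern "Rule Name:\s+$tag"
```

A quick way to confirm the policy is doing what you expect is to run "Check for updates" on the server and, separately, try to open any ordinary website from it: the first should succeed and the second should time out.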

Re: Block all IP traffic save for Windows Updates

Posted: Sun Jan 22, 2012 11:46 pm
by Contingency
Sounds like a terrible solution to a non-existent problem. If you are behind NAT, you shouldn't be worrying about open ports within your internal network*. If your network isn't secure, then there are far easier/better ways to secure it before you attempt to harden devices.

*If there is an application/service that provides remote access AND is enabled AND uses uPnP AND your router supports uPnP AND has it enabled AND you don't have a strong password in place, then you should worry. Rectifying any of these conditions is easier than playing IP whack-a-mole.

Re: Block all IP traffic save for Windows Updates

Posted: Mon Jan 23, 2012 2:06 am
by Flying Fox
I agree. If you don't want to use those "personal cloud" services yet, you should be able to turn them off from the WHS console. Is this security driven or bandwidth cap driven? Windows Update you definitely can configure to "never check", but you run the risk of forgetting a critical patch. I set it to "remind me of updates", so there is a little bit of bandwidth involved.

If you have no need to do remote desktop over WHS and the web sharing stuff, most definitely turn those services off and hopefully IIS will not be running amok. But without port-forwarding behind NAT there is really not much the WHS server "leaks" to the public internet.

Re: Block all IP traffic save for Windows Updates

Posted: Mon Jan 23, 2012 7:48 am
by Ryhadar
I suppose you guys are right. This was a security driven decision, but I usually set Windows to "Alert me, but don't download or install". I ultimately did block all IP traffic on the WHS box at the router level and set a scheduled task to remind me of updates on the router level, just to be safe for the time being. Though as you're saying (and I'm reading elsewhere), WHS does a very good job of keeping things secure by default.

I'm just of the mindset that running any Windows box connected to the internet without A/V is taboo. I can't be bothered to buy an A/V solution for WHS when I can just block it from the internet for free while I don't use any of the online features (yet).

Anyway, thanks for the feedback.

Re: Block all IP traffic save for Windows Updates

Posted: Mon Jan 23, 2012 9:33 am
by Flying Fox
Ryhadar wrote:
I'm just of the mindset that running any Windows box connected to the internet without A/V is taboo.
Unless you are running your own programs on the WHS box (it is usually headless and you just use it for file sharing and media serving, right?), even if the files you put on there are infected it is just "dumb" storage. When you access the file(s) from your own box, the antivirus scanner on it should go to work. You have it installed on your own day-to-day box, right?

axeman wrote:
You can't install MSE on WHS?
No, it is considered a server product (v1 = Server 2003, 2011 = Server 2008 R2). Look at this thread for details.

Re: Block all IP traffic save for Windows Updates

Posted: Mon Jan 23, 2012 10:57 am
by EV42TMAN
I agree with everyone on this. Since it's WHS, there is no reason to block the internet from it. And if you don't want the remote access feature turned on, do the following: open the Dashboard > click Server Settings > Remote Access > click Turn Off. If it says Turn On, then it's already disabled. But if you're that set on blocking internet traffic, then go to Windows Firewall and block all incoming traffic on ports 80 and 443.

Re: Block all IP traffic save for Windows Updates

Posted: Mon Jan 23, 2012 12:46 pm
by Flying Fox
EV42TMAN wrote:
I agree with everyone on this. Since it's WHS, there is no reason to block the internet from it. And if you don't want the remote access feature turned on, do the following: open the Dashboard > click Server Settings > Remote Access > click Turn Off. If it says Turn On, then it's already disabled. But if you're that set on blocking internet traffic, then go to Windows Firewall and block all incoming traffic on ports 80 and 443.

Nowadays who isn't running behind a NAT router/firewall?

Re: Block all IP traffic save for Windows Updates

Posted: Mon Jan 23, 2012 1:45 pm
by Madman
Well, there is some grain of sanity behind the wish to cut all ports to the Internet for a server that might hold private financial data and the like.

Servers are sort-of secure by default, but there are tons of gotchas... Windows Server has RDC disabled by default, but remote registry enabled by default. Connect to remote registry, change the setting, shutdown -r -m //someserver, and you have RDC enabled. And so on. Windows 7 homegroup is configured to be on by default; mark the network inside your routed network as a home or office network, a script kiddie cracks the WAP, and your files are toast. UPnP is enabled on all consumer routers by default, and apps like Skype will kick in and create their own server as soon as they see they have a connection.

And honestly, security settings on all modern machines are hard enough that rarely does anyone know how to handle them.

I hate this cloud thing, it should be opt-in, not opt-out.

Re: Block all IP traffic save for Windows Updates

Posted: Mon Jan 23, 2012 9:47 pm
by thegleek
Madman wrote:
I hate this cloud thing, it should be opt-in, not opt-out.

^ this.